Christian Hammond writes:

> If the external Review Board server is requiring Basic Auth for access
> (outside of our Basic Auth requests in the API), then that may be a
> problem. You're dealing with two different kinds of authentication. I'm not
> sure from your description whether things are set up so that Review Board
> is expecting Basic Auth for authentication using some custom backend, or if
> you just have an extra layer around the access to your server.
> Can you tell me more about the auth setup, and how/why things are set up
> this way?

Hi, Christian -- the machine I am calling
faces the public internet and is the "front door"/gatekeeper for
several services (of which ReviewBoard is one).  It requires
basic HTTP auth to get it to do anything at all.  It's DMZ-ish --
can't see any filesystems, etc.; just reverse-proxies requests
back to the right place.

ReviewBoard runs on (what I am calling)  We
need "users", so we can tell who did what, but
authentication/authorization aren't critical.  In the past,
passwords were a standard pattern that everyone knew.  (The
authentication that mattered was at the "front door".)

(Some old chat re REMOTE_USER etc is related -- "I already know
this person is OK, let's get on with it".  I can't tell if any of
that stuff is in modern ReviewBoard.)

With the standard Auth, it looked to me like the Authorization
HTTP header (with Basic auth info in it) was coming in from the
reverse proxy and ReviewBoard was using that to authenticate to
the Web API. (Yes?)  What I didn't quite get was: if I made the
ReviewBoard usernames and passwords the same as the "front door"
auth, i.e. the "correct" info should be in the Authorization HTTP
header, it still didn't quite work.  (E.g. I never got a Publish
button for a comment on a review.)

> Generally, I'd recommend not using Basic Auth for your Review Board server,
> and instead using something backed by LDAP, if you need some kind of
> external management of users.

For our ReviewBoard, pretty brainless auth would be fine (see
above).  LDAP would be overkill.  I'd actually prefer ReviewBoard
never saw users' real passwords.  Hmm... is there a way to just
blindly let them in?

(I am also not sure why... if you stick a ReviewBoard server
directly on -- still doing HTTP Basic auth
-- and get rid of the reverse-proxying, it all works fine.  I
can't quite see what difference the RB server sees.)

Maybe we'll figure it out :-)  Thanks for your help,

